[177101] in North American Network Operators' Group
Re: Charter ARP Leak
daemon@ATHENA.MIT.EDU (Valdis.Kletnieks@vt.edu)
Mon Dec 29 11:50:03 2014
X-Original-To: nanog@nanog.org
To: "Stephen R. Carter" <stephen.carter@gltgc.org>
In-Reply-To: Your message of "Mon, 29 Dec 2014 03:44:48 +0000."
 <F2E1B95AF83AA042957EFA7F0518B0D52ADC32FC@EXCHANGE1.gltgc.local>
From: Valdis.Kletnieks@vt.edu
Date: Mon, 29 Dec 2014 11:49:48 -0500
Cc: "nanog@nanog.org" <nanog@nanog.org>
Errors-To: nanog-bounces@nanog.org
On Mon, 29 Dec 2014 03:44:48 +0000, "Stephen R. Carter" said:
> Here is a small excerpt I am seeing.
>
> 06:04:04.760869  In 00:21:a0:fb:53:d9 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 97.85.59.219 tell 97.85.58.1
> 06:04:04.761950  In 00:21:a0:fb:53:d9 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 75.135.155.27 tell 75.135.152.1
The interesting thing is that they're all .1 addresses.  It's almost as if
the one broadcast domain has at least 7 different address spaces on it.
I've long seen similar in Comcast country.  My CPE router has an upstream
interface:
ge00      Link encap:Ethernet  HWaddr 10:0D:7F:64:CA:0C
          inet addr:73.171.123.11  Bcast:73.171.123.255  Mask:255.255.254.0
but yet I see a continual background flux of 6-8 arp requests a second, mostly
from what appear to be routers for other subnets:
# tcpdump -i ge00 -n arp -c 2000 | awk '{print $7}' | sort | uniq -c
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on ge00, link-type EN10MB (Ethernet), capture size 65535 bytes
2000 packets captured
2012 packets received by filter
0 packets dropped by kernel
     38 100.93.216.1,
     16 184.121.18.1,
     18 184.126.32.1,
     36 24.127.42.1,
     34 24.127.50.1,
     20 24.131.5.1,
     18 50.134.17.1,
     17 50.134.55.1,
     37 50.134.64.1,
     91 50.218.88.1,
    142 50.220.88.1,
    298 71.197.0.1,
    183 71.62.120.1,
     81 71.63.61.1,
    167 73.171.122.1,     (my putative upstream router)
      1 73.171.123.11,    (my box timed out its arp entry for upstream)
    131 73.171.77.1,
    511 73.31.150.1,
    157 73.31.41.1,
      3 96.120.18.205,
I've annotated the 2 lines I *expected* to see...
The other odd part is that of 20 sources, only 7 appear to have PTR entries....
When I first noticed this and mentioned it to somebody, they responded
"Forget it, Jake.  It's Chinatown".
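The counting Valdis does with `awk | sort | uniq -c` can be taken one step further: once you know the address and mask of your own upstream interface, every ARP "tell" sender that falls outside that prefix is, by definition, a router or host from some other subnet sharing your broadcast domain. The script below is an added example (not code from the thread or from either poster); it parses lines in the tcpdump format quoted above, counts requests per sender, splits senders into on-link and foreign using the interface address from the message (73.171.123.11 with mask 255.255.254.0, i.e. /23), and estimates the request rate from the timestamps. The sample capture is constructed for the example: the first two lines are the quoted excerpt, the rest are made up in the same format.

```python
import ipaddress
import re
from collections import Counter
from datetime import datetime

# Constructed sample capture in tcpdump's "-n arp" line format.
# First two lines are from the quoted excerpt; the remainder are invented.
SAMPLE_LINES = """\
06:04:04.760869  In 00:21:a0:fb:53:d9 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 97.85.59.219 tell 97.85.58.1
06:04:04.761950  In 00:21:a0:fb:53:d9 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 75.135.155.27 tell 75.135.152.1
06:04:05.100000  In 00:21:a0:fb:53:d9 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 73.171.123.11 tell 73.171.122.1
06:04:05.200000  In 00:21:a0:fb:53:d9 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 60: arp who-has 97.85.59.220 tell 97.85.58.1
06:04:05.300000 Out 10:0d:7f:64:ca:0c > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), length 42: arp who-has 73.171.122.1 tell 73.171.123.11
06:04:05.400000  In 00:21:a0:fb:53:d9 > 10:0d:7f:64:ca:0c, ethertype ARP (0x0806), length 60: arp reply 73.171.122.1 is-at 00:21:a0:fb:53:d9
"""

# Only ARP requests carry a "tell <sender>" field; replies ("is-at") are skipped.
# The sender address may be followed by ", length N" on some tcpdump versions,
# so match on the dotted quad rather than a whitespace-delimited token.
TIMESTAMP = re.compile(r"^(\d{2}:\d{2}:\d{2}\.\d+)")
ARP_REQUEST = re.compile(r"arp who-has (\d+\.\d+\.\d+\.\d+) tell (\d+\.\d+\.\d+\.\d+)")


def parse_arp_requests(text):
    """Yield (timestamp, target_ip, sender_ip) for each ARP who-has line."""
    for line in text.splitlines():
        m = ARP_REQUEST.search(line)
        if not m:
            continue
        ts_match = TIMESTAMP.match(line)
        ts = datetime.strptime(ts_match.group(1), "%H:%M:%S.%f") if ts_match else None
        yield ts, m.group(1), m.group(2)


def classify_senders(text, local_iface):
    """Count requests per sender and split them into on-link vs. foreign.

    local_iface is the capture interface's address with prefix, e.g.
    "73.171.123.11/23" (mask 255.255.254.0 as shown in the message).
    A sender outside that prefix has no business ARPing on this segment
    unless the broadcast domain is shared with other subnets.
    """
    network = ipaddress.ip_interface(local_iface).network
    counts = Counter(sender for _, _, sender in parse_arp_requests(text))
    on_link, foreign = {}, {}
    for sender, n in counts.items():
        bucket = on_link if ipaddress.ip_address(sender) in network else foreign
        bucket[sender] = n
    return on_link, foreign


def request_rate(text):
    """Approximate ARP requests per second over the capture's time span.

    Uses the first and last request timestamps; a capture that crosses
    midnight would need date handling, which this example does not attempt.
    """
    stamps = [ts for ts, _, _ in parse_arp_requests(text) if ts is not None]
    if len(stamps) < 2:
        return 0.0
    span = (max(stamps) - min(stamps)).total_seconds()
    return len(stamps) / span if span > 0 else float("inf")


if __name__ == "__main__":
    on_link, foreign = classify_senders(SAMPLE_LINES, "73.171.123.11/23")
    print("on-link senders:", on_link)
    print("foreign senders:", foreign)
    print("requests/sec:   ", round(request_rate(SAMPLE_LINES), 2))
```

Run against a real capture with `tcpdump -i ge00 -n arp -c 2000 > arp.txt` and feed the file's contents to `classify_senders`; a long tail of foreign `.1` addresses with a steady rate, as in the counts above, is the signature of several subnets sharing one layer-2 segment rather than a transient misconfiguration.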